
ChipSoft’s statement on 28 April sounds like the matter has been resolved.
But it hasn’t.
“All stolen data has been destroyed” – at least, that is what the company is saying. What ChipSoft fails to mention is how they can be so sure, whether the hackers have a copy, and whether a ransom was paid.
Understandable perhaps, but for management and the supervisory board, this is precisely the moment to ask the right questions.
Because a statement is not proof. And the difference between the two is greater than it seems.
What we see in practice, and what incidents of this kind expose time and again, is that organisations are aware of their dependence on their suppliers to some extent, but have not really documented it anywhere.
Not linked to processes, not to risks, not to who is responsible if things go wrong.
So when something does happen, everyone intuitively knows that it hurts, but no one knows exactly where, how deeply, or who is at the root of the problem. That is an uncomfortable position to be in as a director.
The same applies to decision-making following an incident.
What considerations were made, by whom, and based on what information?
If you cannot reconstruct that, you don’t really have a recovery process but merely a narrative.
And regulators don’t want a narrative; they want a trail.
IRM360 addresses precisely this issue: how do you ensure that dependencies, risks, decisions and the associated evidence are not scattered across separate documents and email threads, but are instead organised within a single structure that you can actually demonstrate?
Not because it looks neat, but because demonstrable control is something fundamentally different from a reassuring message.
The risk lies not only in the attack itself. It lies in what you can prove afterwards.